Bug#305605: CAN-2005-0718: remote DoS in Squid -- any progress?
Hello

The bug was reported more than a week ago, and the last status, from the same date, is that the Woody package is being investigated.

Is there any news regarding the vulnerability status of the Woody package or the preparation of a DSA?

bye,

-christian-

--
Christian Hammers    WESTEND GmbH | Internet-Business-Provider
Technik              CISCO Systems Partner - Authorized Reseller
                     Lütticher Straße 10   Tel 0241/701333-11
[EMAIL PROTECTED]    D-52064 Aachen        Fax 0241/911879
Bug#305605: CAN-2005-0718: remote DoS in Squid -- any progress?
Christian Hammers wrote:
> Hello
>
> The bug was reported more than a week ago, and the last status, from the same date, is that the Woody package is being investigated.
>
> Is there any news regarding the vulnerability status of the Woody package or the preparation of a DSA?

Luigi is taking a look. It's not yet clear whether this problem even exists in woody. Sid and sarge are fine.

If you are able to fix the package in woody, that would help a lot.

Regards,

Joey

--
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.
Bug#305605: CAN-2005-0718: remote DoS in Squid -- any progress?
On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > Is there any news regarding the vulnerability status of the Woody package or the preparation of a DSA?
>
> Luigi is taking a look. It's not yet clear whether this problem even exists in woody. Sid and sarge are fine.
>
> If you are able to fix the package in woody, that would help a lot.

Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody) and released an advisory today:

http://www.mandriva.com/security/advisories?name=MDKSA-2005:078

Sadly I was just not able to find the following source package, which probably includes the patch. Does anybody know where they hide their download server?

corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
md5sum: 715494248752557eb0b718f2a4dd34c9

bye,

-christian-

--
Christian Hammers    WESTEND GmbH | Internet-Business-Provider
Technik              CISCO Systems Partner - Authorized Reseller
                     Lütticher Straße 10   Tel 0241/701333-11
[EMAIL PROTECTED]    D-52064 Aachen        Fax 0241/911879
Bug#305605: CAN-2005-0718: remote DoS in Squid -- any progress?
Christian Hammers wrote:
> On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > > Is there any news regarding the vulnerability status of the Woody package or the preparation of a DSA?
> >
> > Luigi is taking a look. It's not yet clear whether this problem even exists in woody. Sid and sarge are fine.
> >
> > If you are able to fix the package in woody, that would help a lot.
>
> Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody) and released an advisory today:
>
> http://www.mandriva.com/security/advisories?name=MDKSA-2005:078
>
> Sadly I was just not able to find the following source package, which probably includes the patch. Does anybody know where they hide their download server?
>
> corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
> md5sum: 715494248752557eb0b718f2a4dd34c9

ftp://ftp.gwdg.de/pub/linux/mandrake/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm

Regards,

Joey

--
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.
Bug#305605: CAN-2005-0718: remote DoS in Squid -- any progress?
> > corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
> > md5sum: 715494248752557eb0b718f2a4dd34c9
>
> ftp://ftp.gwdg.de/pub/linux/mandrake/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm

Great! They didn't fix it (no post patch in it) and added the setcookie patch that is not needed prior to 2.5.STABLE7.

Still looking for a proof of concept to test the woody package.

Regards,

L
Bug#305605: CAN-2005-0718: remote DoS in Squid -- any progress?
Hello

On 2005-04-29 Luigi Gangitano wrote:
> > > corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
> > > md5sum: 715494248752557eb0b718f2a4dd34c9
> >
> > ftp://ftp.gwdg.de/pub/linux/mandrake/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
>
> Great! They didn't fix it (no post patch in it) and added the setcookie patch that is not needed prior to 2.5.STABLE7.
>
> Still looking for a proof of concept to test the woody package.

I found the following sentence in the last changelog entry of the Mandriva package and think it's interesting for those watching this bug:

  * Wed Apr 27 2005 Stew Benedict [EMAIL PROTECTED] 2.4.STABLE7-2.6.C21mdk
  - CAN-2005-0718 - patch not relevant, segfault occurs in an unprotected
    call to clientProcessBody, which isn't used in 2.4.STABLE7

In this case I can sleep better, although it would be nice if you could get this confirmed by the Squid developers. If you kindly ask, they will probably even test their PoC exploit against a Debian server even if they do not want to release it to the public.

bye,

-christian-